Specifications for reactive systems often consist of environment assumptions and system guarantees. An implementation should not only be correct, but also robust in the sense that it behaves reasonably even when the assumptions are (temporarily) violated. We present an extension of the requirements analysis and synthesis tool RATSY that is able to synthesize robust systems from GR(1) specifications, i.e., systems in which a finite number of safety assumption violations is guaranteed to induce only a finite number of safety guarantee violations. We show how the specification can be turned into a two-pair Streett game, and how a winning strategy corresponding to a correct and robust implementation can be computed. Finally, we provide some experimental results.

1 Introduction 

Property synthesis automatically creates systems from formal specifications [6, 11, 12]. Synthesized systems are correct-by-construction. Recently there has been a lot of progress in making property synthesis practical [10, 4, 3]. One remaining problem is that synthesized systems often do not behave reasonably in unexpected situations, e.g., when environment assumptions are violated.

Many specifications consist of environment assumptions and system guarantees. For both we distinguish between safety and fairness properties. Safety guarantees must be fulfilled only if all safety assumptions are satisfied. If a safety assumption is violated, the system is allowed to behave arbitrarily. Safety assumptions may be violated due to a buggy environment, operator mistakes, radiation-related bit-flips, etc. The latter issue in particular is becoming more serious, due to continuously decreasing feature sizes [12]. Clearly, if safety assumptions are violated, the system may not be able to fulfill all safety guarantees. However, it should try to recover if the environment does. Unfortunately, synthesized systems sometimes stop performing any useful interaction once a safety assumption has been violated.

We present an extension of the requirements analysis and synthesis tool RATSY [2], which synthesizes robust systems from GR(1) specifications [10]. In [5], we introduced a notion of a failure in a safety specification, along with a notion of recovery. A system is robust if finitely many environment failures induce only finitely many system failures, where a system failure is a violation of a safety guarantee, and an environment failure is a violation of a safety assumption. Note that this condition can be encoded as a Streett pair.

In [1], we described how a GR(1) specification can be turned into a one-pair Streett game such that a winning strategy corresponds to a correct implementation. Consequently, the combination of the Streett pair for the GR(1) game and the Streett pair for robustness leads to a two-pair Streett game, which we solve using the algorithm of [9]. In this paper, we show this approach using an example and show experimental results for robust synthesis.
Different notions of robustness have been studied in different settings. In [3], robustness for safety specifications is considered. Synthesis is done using one-pair Streett games. We use the same notion of robustness but consider GR(1) specifications. Robustness for liveness is addressed in [1]: for any number of violated assumptions, the number of violated guarantees must be as low as possible. We use their idea of transforming GR(1) into Streett games via a counting construction. In [8], robustness is not defined in terms of assumption and guarantee violations, but using metrics on the state of a system. Synthesis is performed via special automata incorporating these metrics. Robustness of sequential circuits is also addressed in [?]. Inputs are divided into control and disturbance variables. A system is robust if a finite number of changes in disturbance inputs result in a bounded number of changes in the output. Synthesis is not addressed.

The rest of this paper is organized as follows. Section 2 presents an example to illustrate the problem. Section 3 explains our method to synthesize robust systems. Section 4 explains the computation of a winning strategy for two-pair Streett games in more detail. In Section 5 our method is applied to an example. Section 6 presents experimental results and concludes.

2 Illustration of the Problem 

Consider the specification of a simple arbiter for a resource shared between two clients. The input signals $r_1$ and $r_2$ are used by the clients to request access to the resource. The arbiter grants access via the output signals $g_1$ and $g_2$. The system must fulfill the following safety requirements. First, the system is never allowed to raise both grant signals at the same time. In LTL syntax, this can be written as $G_1 = \mathsf{G}\,\neg(g_1 \wedge g_2)$. Second, a request has to be followed immediately by a grant, which can be formalized by the guarantees $G_2 = \mathsf{G}(r_1 \rightarrow \mathsf{X}\,g_1)$ and $G_3 = \mathsf{G}(r_2 \rightarrow \mathsf{X}\,g_2)$. Finally, it is assumed that the environment never raises both request signals at the same time: $A = \mathsf{G}\,\neg(r_1 \wedge r_2)$. Combining the three guarantees and the assumption results in the specification $\varphi = A \rightarrow G_1 \wedge G_2 \wedge G_3$. It requires the arbiter to satisfy all three guarantees if the assumption is fulfilled.



Figure 1: Synthesized Finite State Machines. (a) Non-robust implementation, (b) robust implementation.

One possible implementation of $\varphi$ (in the form of a finite state machine) is shown in Figure 1(a). If the environment assumption is violated, i.e., $r_1$ and $r_2$ are raised at the same time, the machine enters state S3, and will remain there forever. Irrespective of future inputs, both grant signals stay low, therefore $G_2$ and $G_3$ will not be fulfilled anymore. This is not robust: a finite number of environment errors leads to an infinite number of system errors, i.e., the system does not recover. Our new synthesis algorithm guarantees that this cannot happen. Instead, our approach may lead to an implementation as shown in Figure 1(b), which does not exhibit the aforementioned weakness. If two requests occur simultaneously now, one will be discarded while the other one will be granted. Once the environment resumes correct behavior, the system will also fulfill all its guarantees again.
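The two behaviours just described, as an added example that is not part of the paper and not RATSY output: two hand-written arbiters reproducing what the text says about Figure 1(a) and 1(b), and a monitor that counts environment failures (the assumption $A$ violated) and system failures (some $G_1$, $G_2$, $G_3$ violated), which is exactly the ok_e/ok_s bookkeeping of Section 3 applied to a concrete run. The request trace, the class names and the step convention (the grants returned by step() are those of the next step, since $G_2$ and $G_3$ use $\mathsf{X}$) are assumptions made here.

```python
"""Two arbiters for the Section 2 specification (constructed, not RATSY output)
and a failure monitor.  Requests and grants are pairs (signal 1, signal 2);
step() receives the requests of step t and returns the grants of step t+1."""


class NonRobustArbiter:
    """Figure 1(a)-style: after both requests arrive together (assumption A
    violated) it enters a sink state (S3 in the figure) and never grants again."""

    def __init__(self) -> None:
        self.stuck = False

    def step(self, r1: int, r2: int) -> tuple[int, int]:
        if self.stuck or (r1 and r2):
            self.stuck = True
            return (0, 0)
        return (r1, r2)        # at most one request here, so G1 holds


class RobustArbiter:
    """Figure 1(b)-style: on simultaneous requests one is discarded and the
    other granted; once the environment behaves again, all guarantees hold."""

    def step(self, r1: int, r2: int) -> tuple[int, int]:
        if r1 and r2:
            return (1, 0)      # discard r2 for this step, grant r1
        return (r1, r2)


def run_arbiter(arbiter, requests: list[tuple[int, int]]) -> tuple[int, int]:
    """Simulate and count failures in the sense of Section 3: an environment
    failure (ok_e = false) is a step violating A = G not(r1 and r2); a system
    failure (ok_s = false) is a step whose grants violate G1, G2 or G3 with
    respect to the previous step's requests."""
    env_errors = sys_errors = 0
    for r1, r2 in requests:
        if r1 and r2:
            env_errors += 1
        g1, g2 = arbiter.step(r1, r2)
        if (g1 and g2) or (r1 and not g1) or (r2 and not g2):
            sys_errors += 1
    return env_errors, sys_errors


# Constructed trace: correct requests, one assumption violation at step 2,
# then correct requests again.
TRACE = [(1, 0), (0, 1), (1, 1), (1, 0), (0, 1), (0, 0), (1, 0), (0, 1)]

if __name__ == "__main__":
    print("non-robust:", run_arbiter(NonRobustArbiter(), TRACE))  # (1, 5)
    print("robust:    ", run_arbiter(RobustArbiter(), TRACE))     # (1, 1)
```

The single environment error costs the robust arbiter one system error (the discarded request), after which it recovers; the non-robust arbiter keeps failing on every later request, which is the unbounded ratio the robustness Streett pair rules out.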

3 Robust Synthesis from GR(1) Specifications 

A GR(1) specification consists of environment assumptions and system guarantees. There are two kinds of assumptions and guarantees. Safety properties encode conditions which have to hold in all time steps. Fairness properties are conditions which have to hold infinitely often. The safety specifications are given as safety automata that are deterministic but not complete. Intuitively, a word fulfills a safety specification if it has a run in the safety automaton.

GR(1) synthesis is performed as follows [1]. First, the specification is transformed into a one-pair Streett game via a counting construction. The safety properties are encoded directly into the transition relation of the Streett game. The fairness properties are expressed via the Streett pair. For $m$ fairness assumptions $\mathsf{G}\mathsf{F}\,A_i$ (with $1 \le i \le m$) and $n$ fairness guarantees $\mathsf{G}\mathsf{F}\,G_j$ (with $1 \le j \le n$), the state space is extended with two counters $x \in \{0, \ldots, m\}$ and $y \in \{0, \ldots, n\}$, which can be encoded with $\lceil \log_2(m+1) \rceil + \lceil \log_2(n+1) \rceil$ additional bits. The counter $x$ is incremented modulo $m+1$ whenever assumption $A_x$ (corresponding to the current counter value) is satisfied; similarly for $y$ and $G_y$, modulo $n+1$. If a counter has the special value 0, it is always incremented. The counter value $x = 0$ indicates that all $A_i$ have been satisfied in a row; $y = 0$ indicates the same for all $G_j$. Hence, the condition $(\mathsf{G}\mathsf{F}\,x = 0) \rightarrow (\mathsf{G}\mathsf{F}\,y = 0)$, expressed by the Streett pair $((x = 0), (y = 0))$, ensures that the liveness part of the specification is encoded properly in the game. A winning strategy for this game corresponds to a correct implementation.
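The counting construction, run over an explicit lasso-shaped trace, as an added example that is not from the paper or from RATSY. The counter update is the one described above (value 0 always advances; value $k \ge 1$ advances only if $A_k$, respectively $G_k$, holds now); the traces, the valuations of the fairness properties at each position and the helper names are constructed here. Because the joint state (loop position, $x$, $y$) is finite, the run is eventually periodic, so "infinitely often" can be decided by inspecting the cycle that repeats.

```python
"""Counters x and y of the GR(1)-to-Streett counting construction, evaluated on
a lasso prefix + loop^omega (constructed example, not RATSY code)."""
from typing import Sequence

# One trace position: which fairness assumptions A_1..A_m and which fairness
# guarantees G_1..G_n hold there (index 0 <-> A_1 / G_1).
Position = tuple[tuple[bool, ...], tuple[bool, ...]]


def step_counters(x: int, y: int, sat_a: Sequence[bool],
                  sat_g: Sequence[bool]) -> tuple[int, int]:
    """One step of x in {0..m} and y in {0..n}: 0 is the special value that
    always advances; k >= 1 advances only if A_k (resp. G_k) holds now."""
    m, n = len(sat_a), len(sat_g)
    if x == 0 or sat_a[x - 1]:
        x = (x + 1) % (m + 1)
    if y == 0 or sat_g[y - 1]:
        y = (y + 1) % (n + 1)
    return x, y


def zero_recurs(prefix: Sequence[Position],
                loop: Sequence[Position]) -> tuple[bool, bool]:
    """Report whether x = 0 and y = 0 are each visited infinitely often on
    prefix + loop^omega.  Simulate until a joint state (loop index, x, y)
    repeats; the states from its first occurrence on form the cycle."""
    x = y = 0
    for sat_a, sat_g in prefix:
        x, y = step_counters(x, y, sat_a, sat_g)
    seen: dict[tuple[int, int, int], int] = {}
    history: list[tuple[int, int]] = []
    idx = 0
    while (idx, x, y) not in seen:
        seen[(idx, x, y)] = len(history)
        history.append((x, y))
        sat_a, sat_g = loop[idx]
        x, y = step_counters(x, y, sat_a, sat_g)
        idx = (idx + 1) % len(loop)
    cycle = history[seen[(idx, x, y)]:]
    return any(cx == 0 for cx, _ in cycle), any(cy == 0 for _, cy in cycle)


def liveness_holds(prefix: Sequence[Position], loop: Sequence[Position]) -> bool:
    """The Streett pair ((x = 0), (y = 0)): GF(x = 0) -> GF(y = 0)."""
    x_inf, y_inf = zero_recurs(prefix, loop)
    return (not x_inf) or y_inf


# Constructed traces with m = 2 assumptions and n = 1 guarantee.
# A_1 and A_2 each recur but G_1 never holds: x = 0 recurs, y = 0 does not.
UNFAIR_SYSTEM = [((True, False), (False,)), ((False, True), (False,))]
# Same environment behaviour, G_1 holds at the second loop position.
FAIR_SYSTEM = [((True, False), (False,)), ((False, True), (True,))]
# A_2 never holds again: x gets stuck at 2, so the implication is vacuous.
UNFAIR_ENV = [((True, False), (False,))]
```

The first trace is the case the Streett pair must reject, the second the case it must accept, and the third shows the vacuous case where the environment itself is unfair, so the system owes nothing.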

In order to obtain a system which is also robust, we extend the safety specifications. We add Boolean variables $ok_e$ and $ok_s$. We then label all existing edges in the environment safety automaton with $ok_e = \mathit{true}$ and add edges from any state to any other state with $ok_e$ set to false, and similarly for the system automaton. Thus, the automata become complete, but the variable $ok_e$ is set to false whenever the environment violates some safety assumption, and $ok_s$ is set to false iff the system violates a safety guarantee. Our notion of robustness can now be formulated using the condition $(\mathsf{G}\mathsf{F}\,\neg ok_s) \rightarrow (\mathsf{G}\mathsf{F}\,\neg ok_e)$, which is expressed by the Streett pair $((\neg ok_s), (\neg ok_e))$. An infinite number of system errors is only allowed if there is an infinite number of environment errors.

A winning strategy for the two-pair Streett game corresponds to a correct and robust implementation. We use a recursive fixpoint algorithm to compute the winning region [9]. Intermediate results of this computation can be used to obtain the winning strategy.

4 Computing a Winning Strategy for Streett(2) 

Figure 2 shows the algorithm to compute the winning region of a Streett game [9]. The input Set is a set of Streett pairs (a,b). The function pr(X) returns the set of states from which the system can force the play into X in one step. LFix and GFix represent least and greatest fixpoint computations over sets of states. The operators &, | and ! perform intersection, union, and complementation of sets.

The following discussion assumes $Set = \{(a_1, b_1), (a_2, b_2)\}$. Let $Y_1$ be the fixpoint in $Y$ for the first Streett pair in the top-level call to Str, and $Y_2$ the result for the second pair. We denote the iterates of these fixpoint computations by $Y_{1,0} \ldots Y_{1,c_1}$ and $Y_{2,0} \ldots Y_{2,c_2}$. For both Streett pairs, the function Str is called recursively. The iterates of $Y$ in the recursive call during the computation of $Y_{i,j}$ are denoted $Y_{i,j,0} \ldots Y_{i,j,r}$ for $i \in \{1, 2\}$ and $j \in \{0, \ldots, c_i\}$.

    Func main_Streett(Set)
      If (|Set| = 0)
        Return mStr(true, false);
      Return Str(Set, true, false);
    End Func main_Streett

    Func mStr(sng, rt)
      GFix(X)
        X = rt | sng & pr(X);
      End GFix(X)
      Return X;
    End mStr

    Func Str(Set, sng, rt)
      GFix(Z)
        Foreach (<a,b> in Set)
          nSet = Set - <a,b>;
          p1 = rt | sng & b & pr(Z);
          LFix(Y)
            p2 = p1 | sng & pr(Y);
            If (|nSet| = 0)
              Y = mStr(sng & !a, p2);
            Else
              Y = Str(nSet, sng & !a, p2);
          End LFix(Y)
          Z = Y;
        End Foreach (<a,b>)
      End GFix(Z)
      Return Z;
    End Str

Figure 2: Algorithm to compute the winning strategy.

Figure 3: Illustration of the iterates of the fixpoint computation.
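An explicit-state transcription of Figure 2 (main_Streett, mStr, Str, with pr, &, | and ! as set operations), added here as an example; it is not RATSY's symbolic BDD-based implementation. The game graph, its two Streett pairs and all Python names are constructed for the example. The environment chooses an input at every state and the system then chooses among the successors for that input, so pr(X) is the set of states where, for every input, some successor lies in X.

```python
"""Streett winning-region algorithm of Figure 2 over an explicit game graph
(constructed example; not RATSY code)."""
from __future__ import annotations
from dataclasses import dataclass

States = frozenset[int]
Pair = tuple[States, States]          # (a, b): GF a -> GF b


@dataclass(frozen=True)
class Game:
    states: States
    inputs: tuple[int, ...]
    # succ[(state, input)]: successors among which the system may choose
    succ: dict[tuple[int, int], States]

    def pr(self, x: States) -> States:
        """Controllable predecessor: for every environment input the system
        can move into x in one step."""
        return frozenset(
            s for s in self.states
            if all(self.succ.get((s, i), frozenset()) & x for i in self.inputs)
        )


def m_str(g: Game, sng: States, rt: States) -> States:
    """GFix(X): X = rt | sng & pr(X), i.e. reach rt or stay in sng forever."""
    x = g.states
    while True:
        nxt = rt | (sng & g.pr(x))
        if nxt == x:
            return x
        x = nxt


def streett(g: Game, pairs: list[Pair], sng: States, rt: States) -> States:
    """Str(Set, sng, rt): GFix(Z) over all pairs, LFix(Y) per pair, recursing
    on the remaining pairs with the play restricted to sng & !a."""
    z = g.states
    while True:                                   # GFix(Z)
        z_before = z
        for a, b in pairs:
            rest = [p for p in pairs if p != (a, b)]
            p1 = rt | (sng & b & g.pr(z))
            y: States = frozenset()
            while True:                           # LFix(Y)
                p2 = p1 | (sng & g.pr(y))
                not_a = sng & (g.states - a)
                nxt = streett(g, rest, not_a, p2) if rest else m_str(g, not_a, p2)
                if nxt == y:
                    break
                y = nxt
            z = y
        if z == z_before:
            return z


def main_streett(g: Game, pairs: list[Pair]) -> States:
    if not pairs:
        return m_str(g, g.states, frozenset())
    return streett(g, pairs, g.states, frozenset())


def example_game(sink_at_3: bool = False) -> Game:
    """Constructed 5-state game, inputs 0/1.  State 3 returns to state 1 unless
    sink_at_3 is set, in which case 3 is a dead end; state 4 is always a sink."""
    back = {3} if sink_at_3 else {1}
    succ = {(0, 0): {1}, (0, 1): {1},
            (1, 0): {0}, (1, 1): {2, 4},
            (2, 0): {1, 3}, (2, 1): {1, 3},
            (3, 0): back, (3, 1): back,
            (4, 0): {4}, (4, 1): {4}}
    return Game(frozenset(range(5)), (0, 1),
                {k: frozenset(v) for k, v in succ.items()})


# Pair 1: a1 holds everywhere, so state 1 (b1) must recur.
# Pair 2: whenever state 2 (a2) recurs, state 3 (b2) must recur too.
PAIRS: list[Pair] = [(frozenset(range(5)), frozenset({1})),
                     (frozenset({2}), frozenset({3}))]


def winning_region(sink_at_3: bool = False) -> set[int]:
    return set(main_streett(example_game(sink_at_3), PAIRS))
```

With state 3 returning to state 1 the system wins from every state but the sink 4 (cycle 1, 2, 3, 1 visits both $b_1$ and $b_2$); if state 3 is made a dead end, the environment can force the system at state 1 into state 2 forever, where it must either never reach $b_2$ or get stuck without $b_1$, and the winning region is empty.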

Figure 3 illustrates the intuitive meaning of the iterates. As long as $a_1$ and $a_2$ hold, it is possible to proceed to the next lower iterate of $Y_i$. $Y_2$ is reachable from $Y_{1,1}$ and $Y_1$ is reachable from $Y_{2,1}$. The resulting cycle allows to visit $b_1$ and $b_2$ infinitely often. If $a_2$ is not satisfied, the next lower iterate of $Y_2$ may not be reachable. Not reaching $b_2$ ever again is fine if $a_2$ is also never satisfied again. However, the other Streett pair still has to be handled. This is ensured through the iterates from the recursive step. Figure 3 shows them for $Y_{2,2}$ only. If $a_1$ holds, it is possible to proceed to the next lower iterate of $Y_{2,2}$ and from $Y_{2,2,1}$ back to $Y_{2,2}$. This cycle ensures that $b_1$ is visited infinitely often if $a_1$ holds infinitely often but $a_2$ does not. Analogously for all other iterates $Y_{i,j}$.

To define a strategy, we introduce one bit $m$ of memory. $m = 0$ means $b_1$ should be fulfilled next, $m = 1$ means $b_2$ should be fulfilled next. The strategy is composed of several parts, which we enumerate in the following table. They are prioritized from top to bottom. If a particular sub-strategy cannot be applied (because of violated assumptions), the next one is tried.
Nr.  present state in               next state in           informal description
 1   Y_{1,i} \ Y_{1,i-1}, ¬m        Y_{1,i-1}, ¬m           step towards b_1
 2   Y_{2,i} \ Y_{2,i-1}, m         Y_{2,i-1}, m            step towards b_2
 3   Y_{1,0}, ¬m                    Z, m                    b_1 reached; switch towards b_2
 4   Y_{2,0}, m                     Z, ¬m                   b_2 reached; switch towards b_1
 5   Y_{1,i,j} \ Y_{1,i,j-1}, ¬m    Y_{1,i,j-1}, ¬m         ¬a_1; sub-game towards b_2
 6   Y_{2,i,j} \ Y_{2,i,j-1}, m     Y_{2,i,j-1}, m          ¬a_2; sub-game towards b_1
 7   Y_{1,i,0}, ¬m                  Y_{1,i}, ¬m             b_2 reached in sub-game
 8   Y_{2,i,0}, m                   Y_{2,i}, m              b_1 reached in sub-game
 9   Y_{1,i,j} \ Y_{1,i,j-1}, ¬m    Y_{1,i,j}, ¬m           ¬a_1, ¬a_2; stay
10   Y_{2,i,j} \ Y_{2,i,j-1}, m     Y_{2,i,j}, m            ¬a_2, ¬a_1; stay




5 Example of Robust Synthesis 

To demonstrate our approach, this section gives an example. Consider the specification of a full-handshake protocol with a request input signal $r$ and a grant output signal $g$. For the environment, the safety assumption $A_1 = \mathsf{G}((r \wedge \neg g \rightarrow \mathsf{X}\,r) \wedge (\neg r \wedge g \rightarrow \mathsf{X}\,\neg r))$ and the fairness assumption $A_2 = \mathsf{G}\mathsf{F}(\neg r \vee \neg g)$ are defined. The system has to satisfy the safety guarantee $G_1 = \mathsf{G}((\neg r \wedge \neg g \rightarrow \mathsf{X}\,\neg g) \wedge (r \wedge g \rightarrow \mathsf{X}\,g))$ and the fairness guarantee $G_2 = \mathsf{G}\mathsf{F}((r \wedge g) \vee (\neg r \wedge \neg g))$. Combining the assumptions and the guarantees results in the specification $\varphi = A_1 \wedge A_2 \rightarrow G_1 \wedge G_2$.

First, the specification is transformed into a one-pair Streett game. In this example there is no need for a counting construction, since there is only a single fairness assumption and guarantee. Figure 4(a) illustrates the encoding of the safety properties in the transition relation of the Streett game. The first bit of each state corresponds to the request signal $r$ and the second bit to the grant signal $g$. For example, the transitions require that, if there is a request, $r$ has to stay high until the request is granted.



Figure 4: Arbiter example. (a) Encoding of the safety properties in the transition relation. (b) Extension of the state space.




Synthesizing Robust Systems with RATSY



The following step is to extend the state space with the variables $ok_e$ and $ok_s$, as shown in Figure 4(b). The third bit of each state corresponds to the signal $ok_e$, which encodes an error caused by the environment. If this bit is true, no error has occurred. Black solid lines indicate that there is no system error ($ok_s = 1$) and red dashed lines indicate that there is one ($ok_s = 0$). Colored states represent states where an environment error has occurred. E.g., assume we start in state 101. In this state, a request has occurred which has not been granted yet, and no environment error has occurred. The safety assumption prohibits the environment from lowering the request. If it does anyway, depending on the choice of the system, either state "010" or "000" is entered, which are both colored states.

Next, the winning region and the strategy are computed. Figure 5 illustrates the iterates of the fixpoint computation. We have $a_1 = \neg(r \wedge g)$, $b_1 = (r \wedge g) \vee (\neg r \wedge \neg g)$, $a_2 = \neg ok_s$, $b_2 = \neg ok_e$. To illustrate strategy computation, we consider the following scenario. Assume that $m = 1$ and the arbiter is in a state out of $Y_{2,2} \setminus Y_{2,1}$. The value $m = 1$ dictates to visit a state out of $Y_{2,1}$ next, if possible. $Y_{2,1}$ contains all states with an environment error. If we assume that the environment always behaves correctly, the set $Y_{2,1}$ becomes unreachable. In order to win the game anyway, the system is not allowed to make a mistake either, so the arbiter stays in $Y_{2,2}$. This way the second Streett pair $((\neg ok_s), (\neg ok_e))$ is fulfilled, because both sets are only visited finitely often. To win the game, the first Streett pair also has to be fulfilled. Therefore the subgame is entered, trying to reach states in $b_1$ while staying in $Y_{2,2}$. Through the loop in $Y_{2,2}$, it is possible to visit these states infinitely often, fulfilling the first Streett pair as well.




Figure 5: Illustration of the iterates of the fixpoint computation. 



6 Results and Conclusions 

We tested our implementation in RATSY with an arbiter with N request and acknowledge lines (cf. Section 2). Table 1 compares the synthesis time (seconds) and the implementation size (lines of Verilog), with and without robustness. As expected, the robust approach takes more time and creates larger circuits than RATSY's original synthesis algorithm. This is due to the higher complexity of the new method. Simulating the synthesized systems shows that the number of system errors needed to recover after one environment error is really small. In most practical cases only one or even no system errors are needed.

Table 1: Performance results (size in lines of Verilog, time in seconds)

 N   size w/o robustness   size with robustness   time w/o robustness   time with robustness
 2           85                    501                   0.04                   0.15
 3          145                  1,234                   0.08                   1.07
 4          230                  2,829                   0.14                   3.37
 5          324                  5,614                   0.18                  11.13
10        1,072                 90,215                   0.81               3,485
15        2,215             6.2 · 10^6                   3.30              26,172

The original synthesis algorithm of RATSY gave no formal guarantees for robustness. The extension presented in this paper guarantees that synthesized systems are correct-and-robust-by-construction. This comes at the cost of larger circuits and longer synthesis times, due to the increased computational complexity. Experimental results show that synthesized robust systems are able to recover with just very few system errors. In many practical cases, the ratio between system errors and environment errors is less than one. Since in practice one has to be prepared for environment errors, guaranteed robustness is an important property enhancing the quality of a system.